1. Field of the Invention
The present invention relates to dynamic network security, and more particularly, to a dynamic network security system and method using a firewall.
2. Description of the Related Art
Security is one of the most important problems in networks at the present time. Various kinds of network security apparatus and methods have been used, and a firewall is one such network security apparatus. A firewall protects against external attacks by sitting at the point where its own group of hosts connects to an outside network such as the Internet and allowing only certain services across that connection. If no firewall is used, all hosts within the group are vulnerable to attack from the outside.
There are various schemes for configuring firewalls, and a packet filtering scheme is generally used for firewalls based on IP technologies. In the packet filtering scheme, a firewall is configured to pass only certain packets in order to avoid external attack. When packets are received, a firewall using the packet filtering scheme judges whether to pass or block them based on information within the packets, such as IP addresses and port numbers, and then passes or blocks them accordingly.
A firewall stores predetermined firewall rules for judging whether to pass or block received packets and operates based on those rules. When packets are received, the firewall judges whether to pass or block them with reference to the firewall rules, and then passes or blocks the packets accordingly. Therefore, information on which packets are to be passed must be registered in the firewall rules in advance. Information such as IPs, port numbers, and protocols can be included in the firewall rules.
Current networks support VoIP (Voice over Internet Protocol) packets, and the number of such packets has been increasing day by day. However, VoIP packets use dynamic IPs and ports. For packets using dynamic IPs and ports, a firewall operates as follows:
If received packets do not use a port that the firewall already knows, the firewall has no way to judge whether dynamic IPs and ports are being applied. Thus, the firewall rules must be set to limit a range of IPs and ports for which packets are allowed to pass through the firewall.
Furthermore, VoIP services impose a further limitation on a firewall in a network environment where private IPs are used. The VoIP services need an ALG (Application Level Gateway) to use private IPs and must use public IPs if there is no ALG. In either case, whether the VoIP services use private or public IPs, the corresponding IPs, ports, and the like must be opened on the firewall in advance.
However, for packets using dynamic IPs and ports, the IPs and ports predetermined in the firewall rules are not always the ones actually used. As a result, firewalls cannot be configured reliably.
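The following added example, which is not part of the patent text, illustrates both the packet filtering scheme described above (rules keyed on protocol, destination IP and port range, first match wins, default block) and the dynamic-port problem it runs into with VoIP. A static rule set has to guess an RTP port range and so both over-exposes the phones and still misses a call negotiated outside that range; an ALG-style function reads the media address and port from the signalling body and opens exactly one host and port. The SDP body, the 192.0.2.0/24 phone subnet and the 10000-20000 guessed range are constructed sample values, and the rule and filter classes are hypothetical, not any real firewall's API.

```python
"""Added example: a packet filter with static rules, then an ALG-style
pinhole opened from a constructed SIP/SDP body. Not the patent's own code."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str  # "tcp" or "udp"


class Rule:
    """One firewall rule: protocol, destination network, destination port range, action."""

    def __init__(self, proto, dst_net, port_lo, port_hi, action):
        self.proto = proto
        self.dst_net = ipaddress.ip_network(dst_net)
        self.port_lo, self.port_hi = port_lo, port_hi
        self.action = action  # "pass" or "block"

    def matches(self, pkt):
        return (pkt.proto == self.proto
                and ipaddress.ip_address(pkt.dst_ip) in self.dst_net
                and self.port_lo <= pkt.dst_port <= self.port_hi)


class PacketFilter:
    """First matching rule decides; anything unmatched is blocked (default deny)."""

    def __init__(self, rules=()):
        self.rules = list(rules)

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "block"

    def exposed_udp_ports(self, dst_ip):
        """Number of UDP destination ports on dst_ip that this rule set would pass."""
        return sum(1 for p in range(1, 65536)
                   if self.decide(Packet("198.51.100.1", dst_ip, p, "udp")) == "pass")


# Constructed sample SDP body, as an inside phone would advertise its RTP endpoint.
SAMPLE_SDP = """v=0
o=phone 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0
"""

SDP_CONN = re.compile(r"^c=IN IP4 (\S+)$", re.M)
SDP_MEDIA = re.compile(r"^m=audio (\d+) RTP/AVP", re.M)


def alg_pinhole_from_sdp(fw, sdp_text):
    """ALG behaviour: take the media IP/port named in the signalling and open
    only that single host and port, instead of a guessed range."""
    ip = SDP_CONN.search(sdp_text).group(1)
    port = int(SDP_MEDIA.search(sdp_text).group(1))
    fw.rules.insert(0, Rule("udp", f"{ip}/32", port, port, "pass"))
    return ip, port


def static_firewall():
    """Without an ALG the administrator can only pre-open a port range for all phones."""
    return PacketFilter([
        Rule("udp", "192.0.2.0/24", 5060, 5060, "pass"),    # SIP signalling
        Rule("udp", "192.0.2.0/24", 10000, 20000, "pass"),  # guessed RTP range
    ])


def dynamic_firewall():
    """Same signalling rule, but the media port is learned from the SDP at call time."""
    fw = PacketFilter([Rule("udp", "192.0.2.0/24", 5060, 5060, "pass")])
    alg_pinhole_from_sdp(fw, SAMPLE_SDP)
    return fw


if __name__ == "__main__":
    rtp = Packet("203.0.113.5", "192.0.2.10", 49170, "udp")  # the negotiated call
    for name, fw in (("static", static_firewall()), ("dynamic", dynamic_firewall())):
        print(name, fw.decide(rtp), "ports exposed on phone:", fw.exposed_udp_ports("192.0.2.10"))
```

Run as written, the static rule set blocks the negotiated RTP port 49170 because it falls outside the guessed range, while still passing more than ten thousand UDP ports per phone; the ALG-style rule set passes the call and exposes only the signalling port plus the one negotiated port. A real ALG would also close the pinhole when the call ends, which is the dynamic behaviour the rest of the patent is concerned with.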